Packages changed:
  SDL2 (2.28.5 -> 2.30.0)
  c-ares (1.20.1 -> 1.26.0)
  distribution-logos-openSUSE (20230921 -> 20240207)
  fwupd (1.9.12 -> 1.9.13)
  gstreamer-plugins-bad
  libzypp (17.31.28 -> 17.31.31)
  lzip (1.23 -> 1.24)
  man
  numactl (2.0.17.8.g67984e5 -> 2.0.18.0.g3871b1c)
  polkit-default-privs (1550+20231213.09963a4 -> 1550+20240207.d833f4b)
  postgresql
  postgresql16 (16.1 -> 16.2)
  pulseaudio (16.1 -> 17.0)
  python-mysqlclient (2.2.1 -> 2.2.4)
  python-typing_extensions
  selinux-policy (20240116 -> 20240205)
  yast2-network (5.0.1 -> 5.0.2)

=== Details ===

==== SDL2 ====
Version update (2.28.5 -> 2.30.0)

- Update to release 2.30
  * Added support for 2 bits-per-pixel indexed surface formats.
  * Added the function SDL_GameControllerGetSteamHandle() to get
    the Steam API handle for a controller, if available.
  * Added the event SDL_CONTROLLERSTEAMHANDLEUPDATED which is sent
    when the Steam API handle for a controller changes. This could
    also change the name, VID, and PID of the controller.
  * Added the environment variable SDL_LOGGING to control default
    log output.

==== c-ares ====
Version update (1.20.1 -> 1.26.0)

- Ensure multibuild flavors result in different src names.
- c-ares 1.26.0:
  * Event Thread support. Integrators are no longer required to
    monitor the file descriptors registered by c-ares for events
    and call ares_process() when enabling the event thread feature
    via ARES_OPT_EVENT_THREAD passed to ares_init_options().
  * Added flags to ares_dns_parse() to force RAW packet parsing
  * Mark ares_fds() as deprecated
  * Bug fixes
- move tests into a build flavor to avoid gtest/gmock build loop
- Update to version 1.25
  Changes:
  o Rewrite ares_strsplit() as a wrapper for ares__buf_split() for memory
  safety reasons.
  o The ahost utility now uses ares_getaddrinfo() and returns both IPv4 and
  IPv6 addresses by default.
  Bug Fixes:
  o Tests: Live reverse lookups for Google's public DNS servers no longer
  return results, replace with CloudFlare public DNS servers.
  o Connection failures should increment the server failure count first or a
  retry might be enqueued to the same server
  o On systems that don't implement the ability to enumerate network interfaces
  the stubs used the wrong prototype.
  o Fix minor warnings and documentation typos
  o Fix support for older GoogleTest versions
  o getrandom() may require sys/random.h on some systems.
  o Fix building tests with symbol hiding enabled.
- 0001-Use-RPM-compiler-options.patch: dropped, obsolete
- Update to version 1.24
  Features:
  * Add support for IPv6 link-local DNS servers. Nameserver formats
    can now accept the %iface suffix, and a new ares_get_servers_csv()
    function was added to return servers that can contain the link-local
    interface name.
  Changes:
  * Unbundle GoogleTest for test cases. Package maintainers will now
    need to require GoogleTest (GMock) as a build dependency if
    building tests. New GoogleTest versions require C++14 or later.
  * Replace nameserver parsing code to use new memory-safe functions.
  * Replace the sortlist parser with new memory-safe functions.
  * Various warning fixes and dead code removal.
  Bugfixes:
  * Old Linux versions require POSIX_C_SOURCE or _GNU_SOURCE to
    compile with thread safety support
  * A non-responsive DNS server that caused timeouts wouldn't
    increment the failure count, this would lead to other servers
    not being tried. Regression introduced in 1.22.0
  * Some projects that depend on c-ares expect invalid parameter
    option values passed into ares_init_options() to simply be
    ignored. This behavior has been restored
  * getrandom() can fail if the kernel doesn't support
    the syscall, fall back to another random source
  * ares_cancel() when performing ares_gethostbyname() or
    ares_getaddrinfo() with AF_UNSPEC, if called after one address
    class was returned but before the other address class, it
    would return ARES_SUCCESS rather than ARES_ECANCELLED
- disable-live-tests.patch: dropped, not needed
- Update to version 1.23
  Features:
    Introduce optional (but on by default) thread-safety for the c-ares library. This has no API nor ABI implications.
    resolv.conf in modern systems uses attempts and timeouts options instead of the old retrans and retry options.
    Query caching support based on TTL of responses. Can be enabled via ares_init_options() with ARES_OPT_QUERY_CACHE.
  Bugfixes:
    ares_init_options() for ARES_OPT_UDP_PORT and ARES_OPT_TCP_PORT accept the port in host byte order, but it was reading it as network byte order. Regression introduced in 1.20.0.
    ares_init_options() for ARES_FLAG_NOSEARCH was not being honored for ares_getaddrinfo() or ares_gethostbyname(). Regression introduced in 1.16.0.
    Autotools MacOS and iOS version check was failing
    Environment variables passed to c-ares are meant to be an override for system configuration. Regression introduced in 1.22.0.
    Spelling fixes as detected by codespell.
    The timeout returned by ares_timeout() was truncated to milliseconds but validated to microseconds which could cause a user to attempt to process timeouts prior to the timeout actually expiring.
    CMake was not honoring CXXFLAGS passed in via the environment which could cause compile and link errors with distribution hardening flags during packaging.
    Fix Windows UWP and Cygwin compilation.
    ares_set_servers_*() for legacy reasons needs to accept an empty server list and zero out all servers. This results in an inoperable channel and thus is only used in simulation testing, but we don't want to break users. Regression introduced in 1.21.0.
  Changes in version 1.22.1
  Bugfixes:
    Fix /etc/hosts processing performance with all entries using same IP address. Large hosts files using the same IP address for all entries could use exponential time.
    Fix typos in manpages
    Fix OpenWatcom building
  Changes in version 1.22.0
  Features:
    ares_reinit() is now implemented to re-read any system configuration and immediately apply to an existing ares channel
    The adig command line program has been rewritten and its format now more closely matches that of BIND's dig utility
    The new DNS message parser and writer functions have now been made public
    RFC9460 HTTPS and SVCB records are now supported
    RFC6698 TLSA records are now supported
    The server list is now internally dynamic and can be changed without impacting existing queries
    Hosts file processing is now cached until the file is detected to be changed to speed up repetitive lookups of large hosts files
  Changes:
    Internally all DNS messages are now written using the new DNS writing functions
    EDNS is now enabled by default
    Internal cleanups in function prototypes
  Bugfixes:
    Randomize retry penalties to prevent thundering herd issues when dns servers throttle requests
    Fix Windows build error for missing if_indextoname()
- update to 1.21.0:
  * Replace multiple DNS hand-made parsers with new memory-safe DNS
    message parser
  * developer visible changes and bug fixes

==== distribution-logos-openSUSE ====
Version update (20230921 -> 20240207)
Subpackages: distribution-logos-openSUSE-Tumbleweed distribution-logos-openSUSE-icons

- switch to a service using zstd
- list the source url
- Update Leap 15.6 branding poo#131666

==== fwupd ====
Version update (1.9.12 -> 1.9.13)
Subpackages: fwupd-bash-completion fwupd-lang libfwupd2 typelib-1_0-Fwupd-2_0

- Update to version 1.9.13:
  + This release adds the following features:
  - Add a timer inhibit if the daemon took a long time to
    startup.
  - Add a concept of 'Test Mode' rather than enabling specific
    plugins.
  - Do not idle-quit the daemon if there is a connected D-Bus
    client.
  + This release fixes the following bugs:
  - Allow plugins to opt-out of the child-device first depsolve.
  - Allow setting multiple flags in LVFS::DeviceFlags.
  - Do not migrate config comments for removed keys.
  - Do not request the Advantech BMC to reboot.
  - Do not warn the user about ESP when using MBR.
  - Fix a critical warning when adding a PixArt wireless device.
  - Fix migration of legacy config files.
  - Only save config values to the mutable config file.
  - Parse DS-20 descriptors earlier in device setup.
  - Store the version format in the history database to fix
    offline reports.
  - Use the correct GUID for matching realtek-mst and
    parade-lspcon.
  + This release adds support for the following hardware:
  - GoodWay Acer Dock.

==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0

- Require libvpl only on supported architectures (x86_64 and aarch64)

==== libzypp ====
Version update (17.31.28 -> 17.31.31)

- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line
  output.
- version 17.31.31 (22)
- applydeltarpm: Create target directory if it does not exist
  (bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
  bsc#1215698)
- version 17.31.30 (22)
- CheckAccessDeleted: fix running_in_container detection
  (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
  (bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
  (openSUSE/zypper#522)
  This patch adds a mechanism to signal libzypp that a shutdown was
  requested, usually when CTRL+C was pressed by the user. Currently
  only the media backend will utilize this, but can be extended to
  all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
  Using curl_easy_perform does not give us the required control on
  when we want to cancel a download. Switching to the MultiCurl
  implementation with an external poll() event loop will give us
  much more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)

==== lzip ====
Version update (1.23 -> 1.24)

- Update to release 1.24
  * Added the command-line switches --empty-error and
    --marking-error
  * The option -o/--output now preserves dates, permissions, and
    ownership of the file when (de)compressing exactly one file.
  * The option -o/--output now creates missing intermediate
    directories when writing to a file.

==== man ====

- Make lua scriptlets more failsafe (boo#1219370)

==== numactl ====
Version update (2.0.17.8.g67984e5 -> 2.0.18.0.g3871b1c)
Subpackages: libnuma1

- Update to version 2.0.18.0.g3871b1c:
  * Increase version number to 2.0.18
  * man pages: fix table include preprocessor

==== polkit-default-privs ====
Version update (1550+20231213.09963a4 -> 1550+20240207.d833f4b)

- Update to version 1550+20240207.d833f4b:
  * profiles: remove no longer used device-rebind action

==== postgresql ====
Subpackages: postgresql-contrib postgresql-server

- bsc#1219340: Require fillup.

==== postgresql16 ====
Version update (16.1 -> 16.2)
Subpackages: libpq5 postgresql16-contrib postgresql16-server

- Upgrade to 16.2:
  * bsc#1219679, CVE-2024-0985: Tighten security restrictions
    within REFRESH MATERIALIZED VIEW CONCURRENTLY.
    One step of a concurrent refresh command was run under weak
    security restrictions. If a materialized view's owner could
    persuade a superuser or other high-privileged user to perform a
    concurrent refresh on that view, the view's owner could control
    code executed with the privileges of the user running REFRESH.
    Fix things so that all user-determined code is run as the
    view's owner, as expected.
  * If you use GIN indexes, you may need to reindex after updating
    to this release.
  * LLVM 18 is now supported.
  * https://www.postgresql.org/docs/release/16.2/

==== pulseaudio ====
Version update (16.1 -> 17.0)
Subpackages: libpulse-mainloop-glib0 libpulse0 pulseaudio-setup pulseaudio-utils system-user-pulse

- Update to version 17.0:
  * Updates to ALSA UCM-based setups
  * Battery level indication to Bluetooth devices
  * Support for the Bluetooth FastStream codec
  * webrtc-audio-processing dependency updated
  * Trigger role groups added to module-role-cork
  * XDG base directory spec for profile-set loading
  * PA_RATE_MAX increased
  For details, see:
    https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/17.0/
- Drop obsoleted patches:
  echo-cancel-add-webrtc-AEC3-support.patch
  build-sys-Bump-cpp_std-to-c-17.patch
  build-sys-Bump-webrtc-audio-processing-dependency.patch

==== python-mysqlclient ====
Version update (2.2.1 -> 2.2.4)

- update to 2.2.4:
  * Support ssl=True in connect().

==== python-typing_extensions ====

- Add backport-recent-implementation-of-protocol.patch upstream patch
  gh#python/typing_extensions@004b893ddce2

==== selinux-policy ====
Version update (20240116 -> 20240205)
Subpackages: selinux-policy-targeted

- Update to version 20240205:
  * Allow gpg manage rpm cache
  * Allow login_userdomain name_bind to howl and xmsg udp ports
  * Allow rules for confined users logged in plasma
  * Label /dev/iommu with iommu_device_t
  * Remove duplicate file context entries in /run
  * Dontaudit getty and plymouth the checkpoint_restore capability
  * Allow su domains write login records
  * Revert "Allow su domains write login records"
  * Allow login_userdomain delete session dbusd tmp socket files
  * Allow unix dgram sendto between exim processes
  * Allow su domains write login records
  * Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
  * Allow chronyd-restricted read chronyd key files
  * Allow conntrackd_t to use bpf capability2
  * Allow systemd-networkd manage its runtime socket files
  * Allow init_t nnp domain transition to colord_t
  * Allow polkit status systemd services
  * nova: Fix duplicate declarations
  * Allow httpd work with PrivateTmp
  * Add interfaces for watching and reading ifconfig_var_run_t
  * Allow collectd read raw fixed disk device
  * Allow collectd read udev pid files
  * Set correct label on /etc/pki/pki-tomcat/kra
  * Allow systemd domains watch system dbus pid socket files
  * Allow certmonger read network sysctls
  * Allow mdadm list stratisd data directories
  * Allow syslog to run unconfined scripts conditionally
  * Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
  * Allow qatlib set attributes of vfio device files
  * Allow systemd-sleep set attributes of efivarfs files
  * Allow samba-dcerpcd read public files
  * Allow spamd_update_t the sys_ptrace capability in user namespace
  * Allow bluetooth devices work with alsa
  * Allow alsa get attributes filesystems with extended attributes
  * Allow hypervkvp_t write access to NetworkManager_etc_rw_t
  * Add interface for write-only access to NetworkManager rw conf
  * Allow systemd-sleep send a message to syslog over a unix dgram socket
  * Allow init create and use netlink netfilter socket
  * Allow qatlib load kernel modules
  * Allow qatlib run lspci
  * Allow qatlib manage its private runtime socket files
  * Allow qatlib read/write vfio devices
  * Label /etc/redis.conf with redis_conf_t
  * Remove the lockdown-class rules from the policy
  * Allow init read all non-security socket files
  * Replace redundant dnsmasq pattern macros
  * Remove unneeded symlink perms in dnsmasq.if
  * Add additions to dnsmasq interface
  * Allow nvme_stas_t create and use netlink kobject uevent socket
  * Allow collectd connect to statsd port
  * Allow keepalived_t to use sys_ptrace of cap_userns
  * Allow dovecot_auth_t connect to postgresql using UNIX socket
  * Make named_zone_t and named_var_run_t a part of the mountpoint attribute
  * Allow sysadm execute traceroute in sysadm_t domain using sudo
  * Allow sysadm execute tcpdump in sysadm_t domain using sudo
  * Allow opafm search nfs directories
  * Add support for syslogd unconfined scripts
  * Allow gpsd use /dev/gnss devices
  * Allow gpg read rpm cache
  * Allow virtqemud additional permissions
  * Allow virtqemud manage its private lock files
  * Allow virtqemud use the io_uring api
  * Allow ddclient send e-mail notifications
  * Allow postfix_master_t map postfix data files
  * Allow init create and use vsock sockets
  * Allow thumb_t append to init unix domain stream sockets
  * Label /dev/vas with vas_device_t
  * Create interface selinux_watch_config and add it to SELinux users
  * Update cifs interfaces to include fs_search_auto_mountpoints()
  * Allow sudodomain read var auth files
  * Allow spamd_update_t read hardware state information
  * Allow virtnetworkd domain transition on tc command execution
  * Allow sendmail MTA connect to sendmail LDA
  * Allow auditd read all domains process state
  * Allow rsync read network sysctls
  * Add dhcpcd bpf capability to run bpf programs
  * Dontaudit systemd-hwdb dac_override capability
  * Allow systemd-sleep create efivarfs files
  * Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
  * Allow graphical applications work in Wayland
  * Allow kdump work with PrivateTmp
  * Allow dovecot-auth work with PrivateTmp
  * Allow nfsd get attributes of all filesystems
  * Allow unconfined_domain_type use io_uring cmd on domain
  * ci: Only run Rawhide revdeps tests on the rawhide branch
  * Label /var/run/auditd.state as auditd_var_run_t
  * Allow fido-device-onboard (FDO) read the crack database
  * Allow ip an explicit domain transition to other domains
  * Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t
  * Allow winbind_rpcd_t processes access when samba_export_all_* is on
  * Enable NetworkManager and dhclient to use initramfs-configured DHCP connection
  * Allow ntp to bind and connect to ntske port.

==== yast2-network ====
Version update (5.0.1 -> 5.0.2)

- Consider firmware configured interfaces as non bridgeable
  (bsc#1218595).
- 5.0.2